@arcote.tech/arc-cli 0.5.7 → 0.6.0

package/src/deploy/terraform.ts

@@ -1,14 +1,17 @@
-import { spawn } from "bun";
+import { spawn as nodeSpawn } from "node:child_process";
+import { createHash } from "node:crypto";
 import { existsSync, mkdirSync, writeFileSync } from "fs";
-import { tmpdir } from "os";
+import { homedir } from "os";
 import { join } from "path";
 import { ASSETS, materializeAssets } from "./assets";
 import type { DeployProvisionTerraform } from "./config";
 
 // ---------------------------------------------------------------------------
-// Runs Terraform from embedded assets. Inputs are passed via a generated
-// terraform.tfvars file in the temp working dir — nothing touches the user's
-// project directory.
+// Runs Terraform from embedded assets. State is persisted per workspace under
+// ~/.arc-deploy/<workspaceHash>/tf/ so retries pick up the existing state file
+// instead of trying to recreate already-provisioned resources from scratch.
+// Inputs are passed via a generated terraform.tfvars file — nothing touches
+// the user's project directory.
 // ---------------------------------------------------------------------------
 
 export interface TerraformInputs {
@@ -17,20 +20,28 @@ export interface TerraformInputs {
   token: string;
   /** Deterministic server name shown in Hetzner Console. */
   serverName: string;
+  /** Workspace root — used to scope state dir per project. */
+  workspaceDir: string;
 }
 
 export interface TerraformOutputs {
   serverIp: string;
   serverName: string;
-  /** Working dir where state + vars live — caller may keep or delete. */
+  /** Working dir where state + vars live — persistent across runs. */
   workDir: string;
 }
 
 export async function runTerraform(
   inputs: TerraformInputs,
 ): Promise<TerraformOutputs> {
-  const workDir = join(tmpdir(), "arc-deploy", `tf-${Date.now()}`);
+  const wsHash = createHash("sha256")
+    .update(inputs.workspaceDir)
+    .digest("hex")
+    .slice(0, 16);
+  const workDir = join(homedir(), ".arc-deploy", wsHash, "tf");
   mkdirSync(workDir, { recursive: true });
+  // Idempotent: re-materialize assets each run (they may have changed across
+  // CLI versions). State files (.tfstate, .terraform/) are preserved.
   await materializeAssets(workDir, ASSETS.terraform);
 
   // Write tfvars — NEVER put token inline in main.tf
@@ -72,29 +83,38 @@ export async function runTerraform(
 }
 
 async function runTf(workDir: string, args: string[]): Promise<void> {
-  const proc = spawn({
-    cmd: ["terraform", ...args],
-    cwd: workDir,
-    stdout: "inherit",
-    stderr: "inherit",
+  // node:child_process with piped stdio + manual forwarding — Bun.spawn's
+  // "inherit" inherits FDs as-is, which breaks when our own stdio is
+  // non-blocking (e.g. backgrounded by an outer process).
+  const exit = await new Promise<number>((resolve, reject) => {
+    const proc = nodeSpawn("terraform", args, {
+      cwd: workDir,
+      stdio: ["ignore", "pipe", "pipe"],
+    });
+    proc.stdout?.on("data", (chunk: Buffer) => process.stdout.write(chunk));
+    proc.stderr?.on("data", (chunk: Buffer) => process.stderr.write(chunk));
+    proc.on("error", reject);
+    proc.on("exit", (code) => resolve(code ?? 1));
   });
-  const exit = await proc.exited;
   if (exit !== 0) {
     throw new Error(`terraform ${args[0]} failed (exit ${exit})`);
   }
 }
 
 async function runTfCapture(workDir: string, args: string[]): Promise<string> {
-  const proc = spawn({
-    cmd: ["terraform", ...args],
-    cwd: workDir,
-    stdout: "pipe",
-    stderr: "pipe",
+  let stdout = "";
+  const exit = await new Promise<number>((resolve, reject) => {
+    const proc = nodeSpawn("terraform", args, {
+      cwd: workDir,
+      stdio: ["ignore", "pipe", "pipe"],
+    });
+    proc.stdout?.on("data", (chunk: Buffer) => {
+      stdout += chunk.toString("utf-8");
+    });
+    proc.stderr?.on("data", (chunk: Buffer) => process.stderr.write(chunk));
+    proc.on("error", reject);
+    proc.on("exit", (code) => resolve(code ?? 1));
   });
-  const [stdout, exit] = await Promise.all([
-    new Response(proc.stdout).text(),
-    proc.exited,
-  ]);
   if (exit !== 0) {
     throw new Error(`terraform ${args[0]} failed (exit ${exit})`);
   }

package/src/index.ts

@@ -2,6 +2,7 @@
 
 import { Command } from "commander";
 import { build } from "./commands/build";
+import { buildShell } from "./commands/build-shell";
 import { dev } from "./commands/dev";
 import { platformBuild } from "./commands/platform-build";
 import { platformDeploy } from "./commands/platform-deploy";
@@ -62,6 +63,16 @@ platform
     platformDeploy(env, opts),
   );
 
+// Hidden subcommand used by the runtime container's entrypoint / API handlers.
+// Not shown in --help; runs against an installed node_modules tree to emit
+// browser shell bundles for the discovered framework peers.
+program
+  .command("_build-shell", { hidden: true })
+  .description("Build framework shell bundles from a node_modules dir")
+  .requiredOption("--out <dir>", "Output directory for shell .js bundles")
+  .requiredOption("--from <dir>", "node_modules directory to discover packages in")
+  .action((opts: { out: string; from: string }) => buildShell(opts));
+
 // Parse command line arguments
 program.parse(process.argv);
 

package/src/platform/deploy-api.ts

@@ -1,20 +1,44 @@
 import type { ArcHttpHandler } from "@arcote.tech/arc-host";
-import { existsSync, mkdirSync, readFileSync, writeFileSync } from "fs";
-import { dirname, join, normalize, relative, resolve } from "path";
+import { spawn } from "bun";
+import {
+  cpSync,
+  existsSync,
+  mkdirSync,
+  readFileSync,
+  rmSync,
+  writeFileSync,
+} from "fs";
+import { dirname, join, normalize, resolve } from "path";
 import { sha256Hex } from "../builder/module-builder";
 import type { BuildManifest, WorkspaceInfo } from "./shared";
 
 // ---------------------------------------------------------------------------
-// Deploy API — hot-swap modules/shell/styles via HTTP
+// Deploy API — v0.6 per-module push model.
 //
 // Mounted on the same Bun.serve as the main platform server. Gated by
 // ARC_DEPLOY_API=1 so dev/localhost starts never expose it. Security boundary
-// is entirely network-layer: in production the arc container publishes :5005
-// only to docker-network, and the Caddy delegator exposes /api/deploy/* only
-// on its 127.0.0.1-bound management listener (:2019). Developer reaches it
-// exclusively through `ssh -L`.
+// is network-layer: in production the arc container publishes :5005 only to
+// docker-network; Caddy exposes /api/deploy/* only on its 127.0.0.1:2019
+// management listener. Developer reaches it exclusively through `ssh -L`.
+// No auth tokens — the SSH key is the auth.
 //
-// No auth tokens in code — the SSH key is the auth.
+// Endpoints:
+//   GET  /api/deploy/health       — liveness + module count
+//   GET  /api/deploy/framework    — { depsHash } for diff vs local
+//   GET  /api/deploy/manifest     — full current manifest
+//   POST /api/deploy/framework    — multipart (package.json + bun.lock)
+//                                   → bun install w platform dir, response
+//                                     needsRestart=true (CLI does docker restart)
+//   POST /api/deploy/modules/:name — multipart (browser.js, server.js?,
+//                                   package.json, access.json?)
+//                                   → write to .staging/modules/<name>/,
+//                                     bun install jeśli deps changed
+//   POST /api/deploy/styles       — multipart (styles.css, theme.css?)
+//                                   → write to .staging/
+//   POST /api/deploy/manifest     — JSON commit phase: atomic swap staging→live,
+//                                   setManifest, SSE notify; response includes
+//                                   needsRestart when any module's server.js
+//                                   changed.
 // ---------------------------------------------------------------------------
 
 export interface DeployApiOptions {
@@ -24,113 +48,289 @@ export interface DeployApiOptions {
   notifyReload: (m: BuildManifest) => void;
 }
 
-/**
- * Create deploy API handler. Returns null for non-deploy requests so the main
- * handler chain continues. Routes:
- *
- *   GET  /api/deploy/manifest    — current BuildManifest (hashes etc.)
- *   POST /api/deploy/manifest    — replace manifest; no file writes
- *   POST /api/deploy/modules     — multipart upload of .js module files
- *   POST /api/deploy/shell       — multipart upload of shell/ files + styles.css
- *   GET  /api/deploy/health      — liveness
- */
 export function createDeployApiHandler(opts: DeployApiOptions): ArcHttpHandler {
   return async (req, url, ctx) => {
     const p = url.pathname;
     if (!p.startsWith("/api/deploy/")) return null;
+    const cors = ctx.corsHeaders;
 
+    // -----------------------------------------------------------------------
+    // GET endpoints — state probes
+    // -----------------------------------------------------------------------
     if (p === "/api/deploy/health" && req.method === "GET") {
       return Response.json(
         { ok: true, modules: opts.getManifest().modules.length },
-        { headers: ctx.corsHeaders },
+        { headers: cors },
       );
     }
 
+    if (p === "/api/deploy/framework" && req.method === "GET") {
+      const hashPath = join(opts.ws.arcDir, ".deps-hash");
+      const depsHash = existsSync(hashPath)
+        ? readFileSync(hashPath, "utf-8").trim()
+        : null;
+      return Response.json({ depsHash }, { headers: cors });
+    }
+
     if (p === "/api/deploy/manifest" && req.method === "GET") {
-      return Response.json(opts.getManifest(), { headers: ctx.corsHeaders });
+      return Response.json(opts.getManifest(), { headers: cors });
     }
 
-    if (p === "/api/deploy/manifest" && req.method === "POST") {
-      const body = (await req.json()) as BuildManifest;
-      if (!validateManifest(body)) {
+    // -----------------------------------------------------------------------
+    // POST /api/deploy/framework — install framework peers + rebuild shell
+    // -----------------------------------------------------------------------
+    if (p === "/api/deploy/framework" && req.method === "POST") {
+      const form = await req.formData();
+      const pkgFile = form.get("package.json");
+      const lockFile = form.get("bun.lock");
+      if (!isFile(pkgFile) || !isFile(lockFile)) {
+        return badRequest("framework requires package.json + bun.lock", cors);
+      }
+
+      mkdirSync(opts.ws.arcDir, { recursive: true });
+      writeFileSync(
+        join(opts.ws.arcDir, "package.json"),
+        Buffer.from(await pkgFile.arrayBuffer()),
+      );
+      writeFileSync(
+        join(opts.ws.arcDir, "bun.lock"),
+        Buffer.from(await lockFile.arrayBuffer()),
+      );
+
+      const start = Date.now();
+      const installOk = await runBun(
+        ["install", "--production", "--frozen-lockfile"],
+        opts.ws.arcDir,
+      );
+      if (!installOk) {
         return Response.json(
-          { error: "Invalid manifest body" },
-          { status: 400, headers: ctx.corsHeaders },
+          { error: "bun install failed" },
+          { status: 500, headers: cors },
         );
       }
-      writeFileSync(
-        join(opts.ws.modulesDir, "manifest.json"),
-        JSON.stringify(body, null, 2),
+
+      // Rebuild shell from freshly-installed framework peers. Hidden _build-shell
+      // subcommand discovers @arcote.tech/* + react under --from.
+      const cliBin = process.argv[1] ?? "arc";
+      const shellOk = await runBun(
+        [
+          "run",
+          cliBin,
+          "_build-shell",
+          "--out",
+          opts.ws.shellDir,
+          "--from",
+          join(opts.ws.arcDir, "node_modules"),
+        ],
+        opts.ws.arcDir,
       );
-      opts.setManifest(body);
-      opts.notifyReload(body);
+      if (!shellOk) {
+        return Response.json(
+          { error: "shell build failed" },
+          { status: 500, headers: cors },
+        );
+      }
+
+      // Compute fresh deps-hash and persist
+      const newHash = sha256Hex(
+        Buffer.concat([
+          readFileSync(join(opts.ws.arcDir, "package.json")),
+          readFileSync(join(opts.ws.arcDir, "bun.lock")),
+        ]),
+      );
+      writeFileSync(join(opts.ws.arcDir, ".deps-hash"), newHash + "\n");
+
       return Response.json(
-        { ok: true, moduleCount: body.modules.length },
-        { headers: ctx.corsHeaders },
+        {
+          changed: true,
+          tookMs: Date.now() - start,
+          needsRestart: true,
+        },
+        { headers: cors },
       );
     }
 
-    if (p === "/api/deploy/modules" && req.method === "POST") {
+    // -----------------------------------------------------------------------
+    // POST /api/deploy/modules/:name — per-module push (browser + server +
+    //   deps + access) into staging
+    // -----------------------------------------------------------------------
+    const moduleMatch = p.match(/^\/api\/deploy\/modules\/([^/]+)$/);
+    if (moduleMatch && req.method === "POST") {
+      const safeName = sanitizeName(moduleMatch[1]);
+      if (!safeName) return badRequest("invalid module name", cors);
+
       const form = await req.formData();
-      const written = await writeUploadedFiles(form, opts.ws.modulesDir);
+      const browser = form.get("browser.js");
+      if (!isFile(browser)) {
+        return badRequest("modules/<name> requires browser.js", cors);
+      }
+
+      const stagingDir = join(
+        opts.ws.arcDir,
+        ".staging",
+        "modules",
+        safeName,
+      );
+      mkdirSync(stagingDir, { recursive: true });
+
+      await writeField(stagingDir, "browser.js", browser);
+      const server = form.get("server.js");
+      if (isFile(server)) {
+        await writeField(stagingDir, "server.js", server);
+      }
+      const pkg = form.get("package.json");
+      if (isFile(pkg)) {
+        await writeField(stagingDir, "package.json", pkg);
+      }
+      const access = form.get("access.json");
+      if (isFile(access)) {
+        await writeField(stagingDir, "access.json", access);
+      }
+
+      // Compare staging deps-hash vs live; install only when different.
+      const stagingPkgPath = join(stagingDir, "package.json");
+      const livePkgPath = join(opts.ws.arcDir, "modules", safeName, "package.json");
+      const stagingPkgBytes = existsSync(stagingPkgPath)
+        ? readFileSync(stagingPkgPath)
+        : Buffer.from("");
+      const livePkgBytes = existsSync(livePkgPath)
+        ? readFileSync(livePkgPath)
+        : Buffer.from("");
+      const depsChanged =
+        sha256Hex(stagingPkgBytes) !== sha256Hex(livePkgBytes);
+
+      writeFileSync(
+        join(stagingDir, ".deps-hash"),
+        sha256Hex(stagingPkgBytes) + "\n",
+      );
+
+      if (depsChanged && existsSync(stagingPkgPath)) {
+        const ok = await runBun(["install", "--production"], stagingDir);
+        if (!ok) {
+          rmSync(stagingDir, { recursive: true, force: true });
+          return Response.json(
+            { error: `bun install failed for module ${safeName}` },
+            { status: 500, headers: cors },
+          );
+        }
+      } else if (!depsChanged) {
+        // Preserve previous node_modules so atomic swap doesn't blow it away.
+        const liveNodeModules = join(
+          opts.ws.arcDir,
+          "modules",
+          safeName,
+          "node_modules",
+        );
+        if (existsSync(liveNodeModules)) {
+          cpSync(liveNodeModules, join(stagingDir, "node_modules"), {
+            recursive: true,
+          });
+        }
+      }
+
       return Response.json(
-        { ok: true, written },
-        { headers: ctx.corsHeaders },
+        {
+          ok: true,
+          name: safeName,
+          depsChanged,
+          serverIncluded: isFile(server),
+        },
+        { headers: cors },
       );
     }
 
-    if (p === "/api/deploy/shell" && req.method === "POST") {
+    // -----------------------------------------------------------------------
+    // POST /api/deploy/styles — global styles to staging
+    // -----------------------------------------------------------------------
+    if (p === "/api/deploy/styles" && req.method === "POST") {
       const form = await req.formData();
-      const shellFiles: File[] = [];
-      const rootFiles: Array<{ name: string; file: File }> = [];
-      for (const [name, value] of form.entries()) {
-        if (!isFile(value)) continue;
-        // styles.css / theme.css go to arcDir, everything else goes to shellDir
-        if (name === "styles.css" || name === "theme.css") {
-          rootFiles.push({ name, file: value });
-        } else {
-          shellFiles.push(value);
+      const stagingDir = join(opts.ws.arcDir, ".staging");
+      mkdirSync(stagingDir, { recursive: true });
+      const written: string[] = [];
+      for (const name of ["styles.css", "theme.css"] as const) {
+        const f = form.get(name);
+        if (isFile(f)) {
+          await writeField(stagingDir, name, f);
+          written.push(name);
+        }
+      }
+      return Response.json({ ok: true, written }, { headers: cors });
+    }
+
+    // -----------------------------------------------------------------------
+    // POST /api/deploy/manifest — commit phase
+    // -----------------------------------------------------------------------
+    if (p === "/api/deploy/manifest" && req.method === "POST") {
+      const body = (await req.json()) as BuildManifest;
+      if (!validateManifest(body)) {
+        return badRequest("invalid manifest body", cors);
+      }
+
+      const stagingRoot = join(opts.ws.arcDir, ".staging");
+      const stagingModules = join(stagingRoot, "modules");
+      let serverSideChanged = false;
+
+      // Per-module atomic swap. We don't use rename(2) across volumes; cp+rm
+      // is good enough on a single docker volume.
+      if (existsSync(stagingModules)) {
+        const stagedNames = readDir(stagingModules);
+        for (const name of stagedNames) {
+          const src = join(stagingModules, name);
+          const dst = join(opts.ws.arcDir, "modules", name);
+          if (existsSync(join(src, "server.js"))) serverSideChanged = true;
+          if (existsSync(dst)) {
+            rmSync(dst, { recursive: true, force: true });
+          }
+          mkdirSync(dirname(dst), { recursive: true });
+          cpSync(src, dst, { recursive: true });
+        }
+      }
+
+      // Styles swap
+      for (const name of ["styles.css", "theme.css"] as const) {
+        const src = join(stagingRoot, name);
+        if (existsSync(src)) {
+          cpSync(src, join(opts.ws.arcDir, name));
         }
       }
-      const writtenShell = await writeUploadedFileList(
-        shellFiles,
-        opts.ws.shellDir,
+
+      // Persist new manifest
+      writeFileSync(
+        join(opts.ws.modulesDir, "manifest.json"),
+        JSON.stringify(body, null, 2),
       );
-      const writtenRoot: string[] = [];
-      for (const { name, file } of rootFiles) {
-        const target = join(opts.ws.arcDir, name);
-        writeFileSync(target, Buffer.from(await file.arrayBuffer()));
-        writtenRoot.push(name);
+      opts.setManifest(body);
+
+      // Cleanup staging
+      rmSync(stagingRoot, { recursive: true, force: true });
+
+      if (!serverSideChanged) {
+        // Browser-only change → SSE notify clients, zero restart.
+        opts.notifyReload(body);
       }
+
       return Response.json(
-        { ok: true, written: [...writtenShell, ...writtenRoot] },
-        { headers: ctx.corsHeaders },
+        {
+          ok: true,
+          moduleCount: body.modules.length,
+          needsRestart: serverSideChanged,
+        },
+        { headers: cors },
       );
     }
 
-    return new Response("Not Found", {
-      status: 404,
-      headers: ctx.corsHeaders,
-    });
+    return new Response("Not Found", { status: 404, headers: cors });
   };
 }
 
 // ---------------------------------------------------------------------------
-// File writes — with path traversal guard
+// Helpers
 // ---------------------------------------------------------------------------
 
-async function writeUploadedFiles(
-  form: FormData,
-  targetDir: string,
-): Promise<string[]> {
-  const files: File[] = [];
-  for (const [, value] of form.entries()) {
-    if (isFile(value)) files.push(value);
-  }
-  return writeUploadedFileList(files, targetDir);
+function badRequest(msg: string, cors: HeadersInit): Response {
+  return Response.json({ error: msg }, { status: 400, headers: cors });
 }
 
-/** Runtime File check — DOM's File is a Blob subclass, available in Bun runtime. */
 function isFile(v: unknown): v is File {
   return (
     typeof v === "object" &&
@@ -140,29 +340,42 @@ function isFile(v: unknown): v is File {
   );
 }
 
-async function writeUploadedFileList(
-  files: File[],
+async function writeField(
   targetDir: string,
-): Promise<string[]> {
-  const written: string[] = [];
+  name: string,
+  file: File,
+): Promise<void> {
+  // Safety: reject names attempting traversal. Field names are CLI-controlled
+  // but treat as untrusted anyway (network-facing endpoint).
+  const safe = normalize(name);
   const safeRoot = resolve(targetDir);
-  mkdirSync(safeRoot, { recursive: true });
+  const full = resolve(safeRoot, safe);
+  if (!full.startsWith(safeRoot + "/") && full !== safeRoot) {
+    throw new Error(`Path traversal rejected: ${name}`);
+  }
+  mkdirSync(dirname(full), { recursive: true });
+  writeFileSync(full, Buffer.from(await file.arrayBuffer()));
+}
 
-  for (const file of files) {
-    const rel = normalize(file.name);
-    const full = resolve(safeRoot, rel);
-    if (!full.startsWith(safeRoot + "/") && full !== safeRoot) {
-      throw new Error(`Path traversal rejected: ${file.name}`);
-    }
-    mkdirSync(dirname(full), { recursive: true });
-    writeFileSync(full, Buffer.from(await file.arrayBuffer()));
+function sanitizeName(name: string): string | null {
+  if (!/^[a-zA-Z0-9_-]+$/.test(name)) return null;
+  return name;
+}
 
-    // Verify upload hash matches the file we wrote — defensive check that
-    // rejects accidental corruption mid-transit. Modules carry a hash prefix
-    // convention in their filename header ("<hash>:<name>") from the CLI.
-    written.push(relative(safeRoot, full) || rel);
-  }
-  return written;
+function readDir(dir: string): string[] {
+  if (!existsSync(dir)) return [];
+  return require("fs").readdirSync(dir) as string[];
+}
+
+async function runBun(args: string[], cwd: string): Promise<boolean> {
+  const proc = spawn({
+    cmd: ["bun", ...args],
+    cwd,
+    stdout: "inherit",
+    stderr: "inherit",
+  });
+  const exit = await proc.exited;
+  return exit === 0;
 }
 
 function validateManifest(m: unknown): m is BuildManifest {

package/src/platform/shared.ts

@@ -28,6 +28,11 @@ import {
   sha256OfJson,
 } from "../builder/hash";
 import { pAll } from "../builder/parallel";
+import {
+  collectFrameworkDeps,
+  collectModuleDeps,
+} from "../builder/dependency-collector";
+import { extractAccessMap } from "../builder/access-extractor";
 
 // Re-export for convenience
 export { buildContextPackages, buildModulesBundle, buildStyles, isContextPackage };
@@ -168,6 +173,22 @@ export async function buildAll(
 
   saveBuildCache(ws.arcDir, cache);
 
+  // v0.6 deploy artifacts: framework + per-module dependency manifests + access
+  // map. Generated unconditionally — runtime container needs them to bun-install
+  // and to enforce protectBy rules. Order matters: deps before access (access
+  // extraction subprocess imports server bundles whose own deps may matter).
+  collectFrameworkDeps(ws.arcDir, ws.rootDir, ws.packages);
+  for (const pkg of ws.packages) {
+    collectModuleDeps(ws.arcDir, pkg);
+  }
+  try {
+    await extractAccessMap(ws.arcDir, ws.packages);
+  } catch (e) {
+    err(`access-extractor failed: ${(e as Error).message}`);
+    // Don't fail the build — protection rules will be empty server-side but
+    // the rest of the deploy can still proceed.
+  }
+
   const finalManifest = assembleManifest(ws, modulesResult.modules, cache);
   writeFileSync(
     join(ws.modulesDir, "manifest.json"),